WaPo writes about vulnerabilities in Supermicro IPMIs
Jonathan Lassoff
jof at thejof.com
Fri Aug 16 02:56:36 UTC 2013
The primary point of IPMI for most users is to be able to administer and
control the box when it's not running.
Using the host itself as a firewall is the quickest way to get that BMC
online, but it kinda defeats the purpose.
On Thu, Aug 15, 2013 at 7:46 PM, Jay Ashworth <jra at baylink.com> wrote:
> ----- Original Message -----
> > From: "Brandon Martin" <lists.nanog at monmotha.net>
>
> > As to why people wouldn't put them behind dedicated firewalls, imagine
> > something like a single-server colo scenario. Most such providers don't
> > offer any form of lights-out management aside from maybe remote reboot
> > (power-cycle) nor do they offer any form of protected/secondary network
> > to their customers. So, if you want to save yourself from a trip, you
> > chuck the thing raw on a public IP and hope you configured it right.
>
> Well, *I* would firewall eth1 from eth0 and cross-over eth1 to the ILO
> jack;
> let the box be the firewall. Sure, it's still as breakable as the box
> proper, but security-by-obscurity isn't *bad*, it's just *not good enough*.
>
> It's another layer of tape.
>
> Whether it's teflon or Gorilla is up to you.
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink
> jra at baylink.com
> Designer The Things I Think RFC
> 2100
> Ashworth & Associates http://baylink.pitas.com 2000 Land
> Rover DII
> St Petersburg FL USA #natog +1 727 647
> 1274
>
>
More information about the NANOG
mailing list